I just happened to read one of the technotes at Adobe's site, which says Authorization header is allowed for Flash Player 9.0.115.0 onwards. If you are trying to send request to another domain (different from the one hosting the SWF), a crossdomain-policy file is required.